The Private Sector: A Reluctant Partner in Cybersecurity

Amitai Etzioni

December 19, 2014

It may seem obvious that the private sector should be keen to protect its computers and networks from cyber-attacks by criminals and foreign agents. After all, hacking has caused considerable losses of trade secrets and other proprietary information. Moreover, evidence suggests that cyber-attacks can take a kinetic form, which can harm the equipment and facilities—such as the national electrical grid—of those attacked. However, as will be seen shortly, the private sector is far from rushing to protect itself from such attacks. The reasons for this reluctance range from the understandably pragmatic to the ideological. Meanwhile, in spite of major implications of this reluctance for homeland security, both the Bush and the Obama administrations have limited themselves to cajoling the private sector to embrace much stronger cybersecurity measures rather than mandating their introduction.

Threat Levels

Private sector firms suffer considerable damage from cybersecurity breaches. A report from the Center for Strategic and International Studies finds that the costs to the global economy—which encompass losses of intellectual property, outright cybercrime, unauthorized access to confidential business and stock information, the costs of recovering from cyber-attacks, and the value of reputational damages—of malicious cyber activity are “probably … [as much as] $400 billion”—or even $1 trillion per year. The United States alone is estimated to suffer up to $120 billion in economic losses.[1] In 2012, one metallurgical corporation reportedly “lost technology to China’s hackers that cost $1 billion and 20 years to develop.”[2] In some cases, companies have been driven entirely out of business by Chinese hackers’ persistent cyber espionage.[3] One report estimates that 508,000 American jobs have been lost due to cybercrime.[4] General Keith Alexander, until recently the director of the NSA and commander of United States Cyber Command, has estimated that economic espionage, including the kind practiced by Chinese and Russian hackers, represents “the greatest transfer of wealth in history.”[5]

No industry is immune: cybersecurity firm Mandiant estimated in 2006 that cyber-attacks tied to China’s People’s Liberation Army (PLA) alone targeted twenty separate, major industries including telecommunications, energy, and aerospace.[6] Even Google—arguably one of the most sophisticated companies in the world with regard to computer networks—fell victim to a complex hack that originated in China, during which the hackers “appropriated some of Google’s search engine source codes, a vital piece of intellectual property.”[7]

These estimates of losses do not include the legal costs of data breaches and those resulting from losses in consumer confidence; moreover, companies are often forced to pay fines when their cybersecurity measures fail to protect consumer information. Heartland Payment Systems, for example, was slapped with $150 million in fines and legal costs that stemmed from a 2007 cybersecurity breach in which more than 100 million credit and debit card numbers were illegally obtained by hackers.[8] One research institute estimated that malicious attacks cost American firms $277 per customer or user whose information was put in jeopardy by companies’ cybersecurity failures.[9] Nevertheless, many corporations resist introducing many of the cybersecurity measures recommended by the U.S. government.

Reasons for Weak Private Sector Response

The private sector’s reluctance to adopt strong cybersecurity measures is driven by a combination of principles and practical concerns. Four of the most frequently articulated arguments against government mandated private sector cybersecurity standards follow.

First, significant segments of the private sector consider proposed requirements to introduce cybersecurity measures to be an additional form of government regulation. The Business Software Alliance opposes placing “undue regulatory burdens on industry,”[10] and the United States Chamber of Commerce objects to “legislation establishing regulatory-based cybersecurity standards.”[11] The Heritage Foundation rejected the same bill because it would “create a cumbersome regulatory process.” These and other corporate leaders and economically conservative commentators adhere to the laissez-faire and libertarian principles that private enterprise has a right to be let alone by the government and that the private sector is capable of independently determining how much and what kind of cybersecurity it needs.

However, as James A. Lewis, a highly regarded cybersecurity expert at the Center for Strategic and International Studies, points out, “The market has failed to secure cyberspace. A ten-year experiment in faith-based cybersecurity has proven this beyond question.”[12] That is, ten years after the industry’s conversation about private sector cybersecurity began, corporations continued to be inundated with cybersecurity breaches. Christopher Cox, former chairperson of the Securities and Exchange Commission, put it more bluntly: “Voluntary regulation [of cybersecurity] does not work.”[13]

Because corporations are considered rational actors, one might well expect that they would voluntarily take measures to protect their trade secrets and hence profits. The economic reasons they often do not are varied. CEOs have been shown to focus on short-term costs and benefits, to the detriment of longer-term effects. The consequences of stolen trade secrets often take years to unfold because competitors need time to use the information they gained to build and market their own products. Moreover, humans tend to be poor at assessing the probabilistic costs of their actions.[14] Therefore, it is unsurprising that CEOs and other executives seem to underestimate even the short-term consequences of failing to shore up cybersecurity. This problem is compounded by executives’ inexperience with technology. “Most [board members and executives] have gray hair,” one banker and media executive said. “It’s like having someone who has never paid any attention to their health talk to a doctor.”[15] One expert on cybersecurity, meanwhile, writes, “Cyber-security resembles environmental law in that both fields are primarily concerned with negative externalities. Just as firms tend to underinvest in pollution controls because some costs of their emissions are borne by those who are downwind, they also tend to underinvest in cyber-defenses because some costs of intrusions are externalized onto others.”[16] Whatever the reasons, The Wall Street Journal reports that in the first six months of 2014 alone “1,517 U.S.-traded firms … have cited hacking as a business risk in filings,” and that “federal officials and others say many companies remain ignorant of, and unprepared for, Internet intruders.”[17]

Second, other opponents of government cybersecurity regulations claim that government mandates will actually hamper cybersecurity and other innovations in the private sector. In 2012, the United States Chamber of Commerce called on Senate Republicans to filibuster a bill that would have established cybersecurity standards for private sector critical infrastructure, on the grounds that the bill could actually “hamper companies trying to defend against cyber intrusions.”[18] The argument seems to be that establishing clear standards for companies would impede their flexibility by forcing them to introduce cumbersome or inefficient cybersecurity measures. This may be true, but corporations, as we have seen, have not filled the void on their own.

Third, private sector representatives have suggested that cybersecurity regulations would impose substantial costs, which the private sector would be incapable of meeting profitably. A company would need to spend millions in order to develop effective cybersecurity systems.[19] Given that about 82,000 strains of malware were created daily in one year alone (in 2013), it would take large sums of money to “stay ahead of the curve.”[20]

Furthermore, “businesses consider it unfair and inappropriate for the government to impose on private industries security requirements that businesses consider a public-sector responsibility. Such requirements are viewed as ‘unfunded mandates.’”[21] That is, corporate leaders argue that the provision of security is the job of the government; thus, they hold that if the government requires others to do part of the job by adding security measures above and beyond those they already independently introduce, the corporations should be compensated for the resulting costs. However, these claims are difficult to justify when one considers the size of many private sector corporations’ budgets: Target, the object of a major December 2013 breach, had a $1.6 million cybersecurity system in place, yet its revenues that year topped $72 billion—making Target’s investment in cybersecurity roughly 0.0002% of its revenue.[22]

In addition, the private sector has expressed concern that regulations mandating that corporations report cybersecurity breaches to the federal government, and share news of cyber threats with their industry peers, would cause them damaging publicity or lead to lawsuits alleging liability for damages to private citizens. One law office that provides corporate counsel estimated that Target’s “potential total costs could reach over $1 billion” following the breach in December 2013. Another source estimates that the cost of Target’s failure could top $18 billion once lost revenues due to negative publicity are factored in.[23]

In April 2014, the Senate introduced a bill that seeks to incentivize private sector sharing of cybersecurity data by providing liability protection against lawsuits.[24] Senator Dianne Feinstein, chair of the Senate Intelligence Committee, stated that the bill “allows companies to monitor their computer networks for cyber-attacks, promotes sharing of cyber threat information and provides liability protection for companies who share that information.”[25] However, this bill has not been adopted.

Moreover, not all agree that the protection of corporations from liability will properly incentivize the private sector to adopt cybersecurity measures. Senator Jay Rockefeller has argued that offering “safe harbors” against liability for damages to third parties caused by breaches of cybersecurity in exchange for company compliance with President Obama’s new NIST Framework would not lead companies to develop dynamic, effective cybersecurity measures. Instead, “such an approach would likely have the opposite effect. … Giving companies unprecedented liability protections based on cybersecurity standards that they themselves have developed would increase the likelihood that the American taxpayers will one day find themselves on the hook for corporate bailouts of unknown scope following a cyber disaster.”[26]

A Reluctant Federal Government

In the face of strong private sector opposition, the federal government has largely resorted to cajoling the private sector to implement cybersecurity measures and has eschewed mandatory regulation. Stewart Baker, who served as Assistant Secretary for Policy at the Department of Homeland Security, has described the fate of cybersecurity proposals advocated by Richard Clarke, the first White House cybersecurity czar. According to Baker, the proposal “sidled up toward new mandates for industry, would have formed a security research fund that would have drawn on contributions from technology companies, and would have increased pressure on Internet companies to provide security technology with their products. However, these requirements were viewed as too onerous for business by many within the Bush administration, and ultimately anything that could offend industry, anything that hinted at government mandates, was stripped out.”[27] One bill proposed by Congress initially “called for mandatory minimum security standards” for the private sector, but the Chamber of Commerce and other corporate representatives opposed the regulations. To salvage the bill’s chances of passing, it was rewritten to advocate voluntary standards; nonetheless, the bill failed.[28] And President Obama, in a 2009 address regarding cybersecurity policy, explicitly stated, “My administration will not dictate security standards for private companies.”

Instead, the federal government has recently taken a number of preliminary steps to encourage the private sector to adopt more stringent cybersecurity measures. In August 2013, it identified a number of possible incentives that could be used to entice the private sector to adopt cybersecurity best practices, including “cybersecurity insurance, federal grants, and legal protections for companies that invest additional money in cybersecurity efforts.”[29] The government also offered sixteen critical infrastructure sectors guidance about how to shield themselves from cyber-attacks, but did not mandate compliance with its recommendations.[30] The General Services Administration, in conjunction with the Department of Defense, recommended that private sector entities be required to comply with “baseline” cybersecurity principles at all levels of the supply chain as a condition of being awarded contracts with the federal government.[31] However, this recommendation has not been adopted. Several pieces of legislation have been proposed in Congress to either sanction private sector entities that fail “to adopt ‘reasonable’ data security practices” or to grant the Federal Trade Commission authorization to craft cybersecurity regulations for the private sector.[32] However, like other proposed legislation, these drafted bills have not yet become law. Cybersecurity in the private sector, as the previous section has demonstrated, remains far from satisfactory.

Implications for Homeland Security

One might hold that if the private sector fails to protect itself from cyber-attacks, it will suffer the consequences and eventually mend its ways. The same line of thinking suggests that the government should focus on protecting its computers and networks, especially those that belong to the Departments of Defense and Homeland Security, the Central Intelligence Agency, and the Federal Bureau of Investigation. This is, in effect, the position that the Bush and Obama administrations have followed. However, this approach ignores that considerable amounts of defense and homeland security work are carried out by the private sector.

For fiscal year 2013, the federal government awarded a total of $460 billion in contracts, much of which seems to have gone to defense contractors.[33] In 2010, the Department of Defense spent about $400 billion of its $700 billion annual budget on private contractors that provided vehicles, armor, weapons, transportation, logistical support, and many other goods and services, which ranged from aircraft carriers and nuclear submarines to hand grenades and MREs. The federal government also outsources much of the work of intelligence collection and analysis to private sector contractors. About “one in four intelligence workers has been a private contractor, and 70 percent or more of the intelligence community’s secret budget has gone to private firms”.[34] And private security firms such as Blackwater—which has since been renamed Xe Services and, later, Academi—were contracted to protect diplomats,[35] offer counterterrorism training, and supplement U.S. military forces in Iraq and elsewhere.[36]

Thus, inadequate cybersecurity at private firms allows adversarial governments and nongovernmental actors to acquire information that could greatly harm U.S. defense and homeland security. To cite a recent example, on May 19, 2014, Attorney General Eric Holder Jr. announced charges against five members of the People’s Liberation Army’s Shanghai cyberunit and alleged that the hackers infiltrated the computer networks of several American corporations.[37] Among these were Allegheny Technologies, which provides “materials and components” to a diverse group of clients including defense contractors; and Alcoa, which manufactures a range of materials used in defense.[38] In the past, General Dynamics, Boeing, Lockheed Martin, Raytheon, and Northrop Grumman—the United States’ leading defense contractors[39]—have all fallen victim to hackers. And a cyber-espionage operation against Lockheed Martin in 2007 made it possible for China to steal design details of the F-35 Lightning II, which were subsequently used to develop China’s J-20 stealth fighter plane.[40]

Second, the private sector is responsible for supplying and maintaining much of the technology, which includes information technology, used by the government. The computers and software used by the Department of Defense—and other federal agencies—are themselves designed, manufactured, and often serviced by the private sector. Prior to the 1990s, the Pentagon used in-house programmers to design secure software tailored to the military’s needs. However, the military has since increasingly shifted to off-the-shelf commercial software as a means of cutting costs and satisfying Congress, which seems to be influenced by private sector lobbying.[41] These technologies are vulnerable not only because they are produced in the private sector, but also because the private sector often sources its equipment and components overseas—which includes China.

Third, the private sector is responsible for the maintenance of much of the United States’ critical infrastructure, including energy, telecommunications, transportation, health services, and banking and finance, among others. Without the private sector’s willing adoption of stronger cybersecurity measures, these critical services remain vulnerable to kinetic cyber-attacks. On June 6, 2014, the Financial Stability Oversight Council released a report that shows that the financial industry is vulnerable to cyber-attacks. It held that “cyber incidents that disrupt, degrade, or impact the integrity and availability of critical financial infrastructure … [could] threaten the stability of the financial system.”[42] Another June 2014 report from the Government Accountability Office cautioned that “maritime security plans required by law and regulation generally [do] not identify or address potential cyber-related threats.” Thus, private “maritime stakeholders” at U.S. ports, which handle more than $1.3 trillion in goods per year, remain vulnerable to cyber-attacks, which could shut down business communications, disable physical security systems, and more.[43]

In short, the difference between the public and private sectors is much smaller than is often assumed in public discourse.[44] There can be no reliable cybersecurity in the public realm unless there is also heightened cybersecurity in the private realm. The security chain is only as strong as its weakest link—and the private sector’s link is simultaneously poorly forged and critically important to U.S. defense and security.

What can be done? The private sector, especially those firms that manufacture defense items such as submarines and aircraft carriers as well as those that provide hardware and software to the government, would be much more attentive to cybersecurity needs if corporations that are not in full compliance with government cybersecurity standards were disqualified from receiving government contracts. President Obama’s 2013 Cybersecurity Executive Order has called for this step, and the White House has directed a joint working group to “develop an implementation plan for these recommendations.”[45] However, this strong corrective assumes a different political climate, in which Congress, which is rather responsive to corporate lobbying, would allow the administration to set standards and develop blacklists. At the moment, such blacklists are not even in place for corporations that are found to engage in systematic corruption. One government agency might cease to grant an offending corporation contracts, but there is no list of corrupt corporations that other agencies can consult. The publication of articles like this one, combined with increased public outcry on the subject, might help change the political climate and advance cybersecurity.